pin composite action to main; remove pull_request_target trigger
amitchell-moz committed Dec 19, 2024
1 parent a56bb2a commit d54d0a4
Showing 2 changed files with 160 additions and 8 deletions.
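--- a/.github/actions/action.yml
+++ b/.github/actions/action.yml
@@ -0,0 +1,155 @@
+# GHA does not support dynamic outputs for matrix jobs https://github.com/orgs/community/discussions/26639
+# This composite action is a workaround to allow modules to be separately versioned w/o a bunch of hacks
+# Whenever https://github.com/actions/runner/pull/2477#issuecomment-2445640849 lands, this can be folded back in
+name: 'version-and-doc'
+description: 'handle version bumps & doc generation for TF modules monorepo'
+inputs:
+package-name:
+description: 'Package to version bump & doc'
+required: true
+changelog-entry:
+description: 'Changelog contents from PR body'
+required: true
+release-type:
+description: 'Semver release type'
+required: true
+outputs:
+new-version:
+description: "Version after bumping"
+value: ${{ steps.new-version.outputs.result }}
+runs:
+using: "composite"
+steps:
+- name: Render terraform docs inside the README.md and push changes back to PR branch
+uses: terraform-docs/[email protected]
+with:
+working-dir: ${{ inputs.package-name }}
+output-file: README.md
+git-push: "true"
+config-file: .terraform-docs.yml
+- name: Checkout all tags
+uses: actions/checkout@v4
+with:
+fetch-depth: 0
+- name: Detect previous version number
+id: prev-version
+env:
+PACKAGE_NAME: ${{ inputs.package-name }}
+shell: bash
+run: |
+git fetch --tags
+TAG=$(git for-each-ref --sort=-creatordate --count 1 --format="%(refname:short)" "refs/tags/$PACKAGE_NAME-[0-9].[0-9].[0-9]")
+if [ -z "$TAG" ] ; then
+echo "No git tag found for $PACKAGE_NAME, using 0.0.0 as previous version"
+echo "result=0.0.0" >> "$GITHUB_OUTPUT"
+exit 0
+fi
+TAG_VERSION="${TAG#*-}"
+echo "TAG_VERSION = $TAG_VERSION"
+SEMVER_REGEX="^[0-9].[0-9].[0-9]$"
+if [[ $TAG_VERSION =~ $SEMVER_REGEX ]] ; then
+echo "$TAG is valid semver, using it"
+echo "result=${TAG_VERSION}" >> "$GITHUB_OUTPUT"
+exit 0
+else
+echo "Error: $TAG does not end in a valid semver"
+exit 1
+fi
+- name: Determine new version number
+uses: actions/github-script@v7
+id: new-version
+env:
+PREV_VERSION: ${{ steps.prev-version.outputs.result }}
+RELEASE_TYPE: ${{ inputs.release-type }}
+with:
+script: |
+const { PREV_VERSION, RELEASE_TYPE } = process.env;
+console.log('Previous version was', PREV_VERSION);
+console.log('Release type is', RELEASE_TYPE);
+const numbers = PREV_VERSION.split('.');
+const numberIdx = ['major', 'minor', 'patch'].indexOf(RELEASE_TYPE);
+numbers[numberIdx] = parseInt(numbers[numberIdx]) + 1;
+for (let i = numberIdx + 1; i < numbers.length; i++) {
+numbers[i] = 0;
+}
+return numbers.join('.');
+result-encoding: string
+- name: Store version numbers
+shell: bash
+run: |
+mkdir output
+echo '${{ steps.prev-version.outputs.result }}' > output/previous-version.txt
+echo '${{ steps.new-version.outputs.result }}' > output/new-version.txt
+- name: Upload version artifacts
+uses: actions/upload-artifact@v4
+with:
+name: ${{ inputs.package-name }}
+path: output
+retention-days: 5
+- name: Checkout repository
+uses: actions/checkout@v4
+with:
+ref: ${{ github.event.pull_request.head.ref }}
+repository: ${{ github.event.pull_request.head.repo.full_name }}
+- name: Sparse checkout unmodified changelogs from main
+uses: actions/checkout@v4
+with:
+ref: ${{ github.event.pull_request.base.ref }}
+repository: ${{ github.event.pull_request.base.repo.full_name }}
+sparse-checkout: '${{ inputs.package-name }}/'
+path: 'old'
+- name: Write changelogs(s)
+env:
+CHANGELOG_ENTRY: ${{ inputs.changelog-entry }}
+PACKAGE_NAME: ${{ inputs.package-name }}
+NEW_VERSION: ${{ steps.new-version.outputs.result }}
+shell: bash
+run: |
+ORIGINAL_CHANGELOG_PATH="old/$PACKAGE_NAME/CHANGELOG.md"
+NEW_CHANGELOG_PATH="$PACKAGE_NAME/CHANGELOG.md"
+# Trim off "s that sneak in when passing multiline GHA outputs
+CHANGELOG_ENTRY=`sed -e 's/^"//' -e 's/"$//' <<<"$CHANGELOG_ENTRY"`
+if [ -f "$ORIGINAL_CHANGELOG_PATH" ] ; then
+echo "Changelog already exists for $PACKAGE_NAME, prepending to it"
+# Newline literal to pass to sed since it doesn't like /n
+nl=$'\n'
+sed -i "1i ${CHANGELOG_ENTRY} ${nl}" "$ORIGINAL_CHANGELOG_PATH"
+sed -i "1i ## ${NEW_VERSION} ${nl}" "$ORIGINAL_CHANGELOG_PATH"
+mv "$ORIGINAL_CHANGELOG_PATH" "$NEW_CHANGELOG_PATH"
+else
+echo "No existing changelog found for $PACKAGE_NAME, creating one"
+echo -e "## $NEW_VERSION" > "$NEW_CHANGELOG_PATH"
+echo -e "$CHANGELOG_ENTRY" >> "$NEW_CHANGELOG_PATH"
+fi
+echo "New changelog contents:"
+cat "$NEW_CHANGELOG_PATH"
+- name: Commit changelogs(s)
+env:
+PACKAGE_NAME: ${{ inputs.package-name }}
+PR_BRANCH: ${{ github.event.pull_request.head.ref }}
+GH_TOKEN: ${{ github.token }}
+shell: bash
+run: |
+git pull # In case we have multiple changelog updates
+FILE_TO_COMMIT="$PACKAGE_NAME/CHANGELOG.md"
+if ! git diff --quiet --exit-code $FILE_TO_COMMIT ; then
+### Signed commit workaround - if we do a normal `git commit` here, it will be unsigned
+# GHA doesn't have a good native way to sign commits (https://github.com/actions/runner/issues/667)
+# Commits submitted via the API do get signed, so do that instead - adapted from https://gist.github.com/swinton/03e84635b45c78353b1f71e41007fc7c
+echo "Committing changes to CHANGELOG.md"
+TODAY=$( date -u '+%Y-%m-%d' )
+MESSAGE="Automated changelog for $PACKAGE_NAME"
+SHA=$( git rev-parse $DESTINATION_BRANCH:$FILE_TO_COMMIT )
+gh api --method PUT /repos/:owner/:repo/contents/$FILE_TO_COMMIT \
+--field message="$MESSAGE" \
+--field branch="$PR_BRANCH" \
+--field content=@<( base64 -i $FILE_TO_COMMIT ) \
+--field sha="$SHA"
+else
+echo "No changes to CHANGELOG.md"
+exit 0
+fi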
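Review bot: `SHA=$( git rev-parse $DESTINATION_BRANCH:$FILE_TO_COMMIT )` in the "Commit changelogs(s)" step reads `DESTINATION_BRANCH`, which that step's `env` never sets (only `PACKAGE_NAME`, `PR_BRANCH` and `GH_TOKEN` are), so the argument collapses to `:path` and appears to resolve the index blob rather than the branch blob; it should be `SHA=$( git rev-parse "$PR_BRANCH:$FILE_TO_COMMIT" )`, and `$FILE_TO_COMMIT` should be quoted in the `git diff`, `gh api` and `base64` calls as well since it is built from the `package-name` input. In "Detect previous version number", the tag pattern `refs/tags/$PACKAGE_NAME-[0-9].[0-9].[0-9]` and `SEMVER_REGEX="^[0-9].[0-9].[0-9]$"` only match single-digit components (and the unescaped `.` matches any character), so once a module reaches a version such as 0.0.10 its newest tag is skipped and the version silently restarts at 0.0.0; `"^[0-9]+\.[0-9]+\.[0-9]+$"` and the glob `[0-9]*.[0-9]*.[0-9]*` would cover that. In "Determine new version number" an unrecognised `RELEASE_TYPE` yields `numberIdx` of -1, so the script returns `PREV_VERSION` unchanged instead of failing; adding `if (numberIdx < 0) { core.setFailed(`unknown release type ${RELEASE_TYPE}`); return; }` before the increment would surface the problem at the bump rather than in a duplicated changelog heading. Note also that the first step runs terraform-docs with `git-push: "true"` before the action performs any checkout of its own, so it operates on whatever tree the calling workflow left in the workspace.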
13 changes: 5 additions & 8 deletions .github/workflows/monorepo.yml
Expand Up @@ -5,9 +5,7 @@ concurrency: #avoid concurrent runs on label events, might cause issues on supe

on:
pull_request:
types: [opened, synchronize, reopened, labeled, unlabeled]
pull_request_target:
types: [closed]
types: [opened, closed, synchronize, reopened, labeled, unlabeled]

permissions:
pull-requests: read
Expand All @@ -24,12 +22,11 @@ jobs:
directories: ${{ steps.condense.outputs.result }}
release-type: ${{ steps.check_pr_label.outputs.release-type}}
is-merge-event: >-
${{ github.event_name == 'pull_request_target'
${{ github.event_name == 'pull_request'
&& github.event.action == 'closed'
&& github.event.pull_request.merged == true }}
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
# I'm getting the labels from the API and not the context("contains(github.event.pull_request.labels.*.name, 'Env Promote')") as the labels
Expand Down Expand Up @@ -149,10 +146,10 @@ jobs:
- name: Checkout repository to use composite action
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
ref: main # Only use composite action from main to prevent malicious PRs
# Do the per-module steps in a composite action because matrixes can't handle dynamic outputs
- name: Generate docs and version bump
uses: ./.github/workflows/actions/
uses: mozilla/terraform-modules/.github/actions@main
with:
package-name: ${{ matrix.directory }}
changelog-entry: ${{ steps.changelog.outputs.result }}
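Review bot: The `ref: main` checkout in "Checkout repository to use composite action" is no longer needed once the next step references the action as `mozilla/terraform-modules/.github/actions@main`, because a remote `uses:` fetches the action definition itself, and it now leaves main's tree in the workspace; the composite action's first step (terraform-docs with `git-push: "true"`) runs before the action checks out the PR head, so as written it appears to generate docs from, and push to, the tree checked out here rather than the PR branch — confirm the intended order, or drop this checkout in favour of a head-ref checkout (the action definition stays pinned to main either way). With the `closed` event moved from `pull_request_target` to `pull_request`, the `GITHUB_TOKEN` is read-only for pull requests from forks, so the action's `gh api --method PUT` and terraform-docs push would presumably fail there; if only same-repository branches are expected, a comment to that effect on the `on:` block, e.g. `# same-repo PRs only: fork PRs get a read-only token so the doc/changelog pushes cannot run`, would document the constraint (the `permissions:` block continues outside this hunk).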
